Docs

Practical guide to Doorman: what users can do, how operators set it up, and how technical teams integrate auth, RBAC, billing, and usage.

Operations

Workers

  • pnpm --filter @doorman/worker aggregate: aggregate usage buckets.
  • pnpm --filter @doorman/worker sync-usage: export usage to billing provider.
  • pnpm --filter @doorman/worker sync-subscriptions: sync subscription state.
  • pnpm --filter @doorman/worker sync-invoices: sync invoice state.
  • pnpm --filter @doorman/worker usage-alerts: evaluate usage alert rules.
  • pnpm --filter @doorman/worker usage-retention: prune old usage data.

Email

Local Kratos and notification emails are captured by Mailslurper.

  • UI: http://localhost:4436
  • API: http://localhost:4437
  • SMTP: localhost:1025

Stripe

Use Stripe test mode locally. Doorman accepts unsigned Stripe webhooks in development if no signing secret is set, but real environments must set the signing secret.

STRIPE_DRY_RUN=0
STRIPE_API_BASE=https://api.stripe.com
STRIPE_SECRET_KEY=sk_test_...
STRIPE_WEBHOOK_SIGNING_SECRET=whsec_...

POST https://doorman.f1cs-dev.it/api/billing/stripe/webhook

Troubleshooting

  • OAuth redirect mismatch: recreate or update the OAuth client redirect URI exactly.
  • Missing RBAC claim: verify the token audience, app membership, tenant membership, and app role assignment.
  • Checkout fails: verify Stripe secret, base plan component, and real price_ ID.
  • No billing entitlement: poll subscription status and require is_active=true.
  • SSO provider not found: verify identity provider domain mapping and issuer/client settings.